diff mbox series

[v2,5/6] tpm: tpm2_key: Extend parser to TPM_LoadableKey

Message ID 20240521031645.17008-6-jarkko@kernel.org (mailing list archive)
State New, archived
Headers show
Series KEYS: asymmetric: tpm2_key_rsa | expand

Commit Message

Jarkko Sakkinen May 21, 2024, 3:16 a.m. UTC
Extend parser to TPM_LoadableKey. Add field for oid to struct tpm2_key
so that callers can differentiate different key types.

Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
---
 drivers/char/tpm/tpm2_key.c               | 14 +++++++++++---
 include/crypto/tpm2_key.h                 |  2 ++
 security/keys/trusted-keys/trusted_tpm2.c |  4 ++++
 3 files changed, 17 insertions(+), 3 deletions(-)

Comments

Bharat Bhushan May 21, 2024, 5:47 a.m. UTC | #1
> -----Original Message-----
> From: Jarkko Sakkinen <jarkko@kernel.org>
> Sent: Tuesday, May 21, 2024 8:47 AM
> To: Herbert Xu <herbert@gondor.apana.org.au>
> Cc: linux-integrity@vger.kernel.org; keyrings@vger.kernel.org;
> Andreas.Fuchs@infineon.com; James Prestwood <prestwoj@gmail.com>;
> David Woodhouse <dwmw2@infradead.org>; Eric Biggers
> <ebiggers@kernel.org>; James Bottomley
> <James.Bottomley@hansenpartnership.com>; Jarkko Sakkinen
> <jarkko@kernel.org>; David S. Miller <davem@davemloft.net>; open
> list:CRYPTO API <linux-crypto@vger.kernel.org>; open list <linux-
> kernel@vger.kernel.org>; Peter Huewe <peterhuewe@gmx.de>; Jason
> Gunthorpe <jgg@ziepe.ca>; James Bottomley
> <James.Bottomley@HansenPartnership.com>; Mimi Zohar
> <zohar@linux.ibm.com>; David Howells <dhowells@redhat.com>; Paul Moore
> <paul@paul-moore.com>; James Morris <jmorris@namei.org>; Serge E. Hallyn
> <serge@hallyn.com>; open list:SECURITY SUBSYSTEM <linux-security-
> module@vger.kernel.org>
> Subject: [EXTERNAL] [PATCH v2 5/6] tpm: tpm2_key: Extend parser to
> TPM_LoadableKey
> 
> ----------------------------------------------------------------------
> Extend parser to TPM_LoadableKey. Add field for oid to struct tpm2_key
> so that callers can differentiate different key types.
> 
> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
> ---
>  drivers/char/tpm/tpm2_key.c               | 14 +++++++++++---
>  include/crypto/tpm2_key.h                 |  2 ++
>  security/keys/trusted-keys/trusted_tpm2.c |  4 ++++
>  3 files changed, 17 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/char/tpm/tpm2_key.c b/drivers/char/tpm/tpm2_key.c
> index 0112362e432e..59797dc232f1 100644
> --- a/drivers/char/tpm/tpm2_key.c
> +++ b/drivers/char/tpm/tpm2_key.c
> @@ -32,16 +32,24 @@ int tpm2_key_type(void *context, size_t hdrlen,
>  		  const void *value, size_t vlen)
>  {
>  	enum OID oid = look_up_OID(value, vlen);
> -
> -	if (oid != OID_TPMSealedData) {
> +	struct tpm2_key *key = context;
> +
> +	switch (oid) {
> +	case OID_TPMSealedData:
> +		pr_info("TPMSealedData\n");
> +		break;
> +	case OID_TPMLoadableKey:
> +		pr_info("TPMLodableKey\n");
> +		break;
> +	default:
>  		char buffer[50];
> -
>  		sprint_oid(value, vlen, buffer, sizeof(buffer));
>  		pr_debug("OID is \"%s\" which is not TPMSealedData\n",
>  			 buffer);

Maybe extend this print to say "neither TPMSealedData nor TPMLodableKey"

Thanks
-Bharat

>  		return -EINVAL;
>  	}
> 
> +	key->oid = oid;
>  	return 0;
>  }
> 
> diff --git a/include/crypto/tpm2_key.h b/include/crypto/tpm2_key.h
> index acf41b2e0c92..2d2434233000 100644
> --- a/include/crypto/tpm2_key.h
> +++ b/include/crypto/tpm2_key.h
> @@ -2,12 +2,14 @@
>  #ifndef __LINUX_TPM2_KEY_H__
>  #define __LINUX_TPM2_KEY_H__
> 
> +#include <linux/oid_registry.h>
>  #include <linux/slab.h>
> 
>  /*
>   * TPM2 ASN.1 key
>   */
>  struct tpm2_key {
> +	enum OID oid;
>  	u32 parent;
>  	const u8 *blob;
>  	u32 blob_len;
> diff --git a/security/keys/trusted-keys/trusted_tpm2.c
> b/security/keys/trusted-keys/trusted_tpm2.c
> index f255388d32b8..ce4c667c3ee3 100644
> --- a/security/keys/trusted-keys/trusted_tpm2.c
> +++ b/security/keys/trusted-keys/trusted_tpm2.c
> @@ -305,6 +305,10 @@ static int tpm2_load_cmd(struct tpm_chip *chip,
>  		payload->old_format = 1;
>  	} else {
>  		blob = key.blob;
> +		if (key.oid != OID_TPMSealedData) {
> +			tpm2_key_destroy(&key);
> +			return -EINVAL;
> +		}
>  	}
> 
>  	if (!blob)
> --
> 2.45.1
>
Jarkko Sakkinen May 21, 2024, 7:13 a.m. UTC | #2
On Tue May 21, 2024 at 8:47 AM EEST, Bharat Bhushan wrote:
>
>
> > -----Original Message-----
> > From: Jarkko Sakkinen <jarkko@kernel.org>
> > Sent: Tuesday, May 21, 2024 8:47 AM
> > To: Herbert Xu <herbert@gondor.apana.org.au>
> > Cc: linux-integrity@vger.kernel.org; keyrings@vger.kernel.org;
> > Andreas.Fuchs@infineon.com; James Prestwood <prestwoj@gmail.com>;
> > David Woodhouse <dwmw2@infradead.org>; Eric Biggers
> > <ebiggers@kernel.org>; James Bottomley
> > <James.Bottomley@hansenpartnership.com>; Jarkko Sakkinen
> > <jarkko@kernel.org>; David S. Miller <davem@davemloft.net>; open
> > list:CRYPTO API <linux-crypto@vger.kernel.org>; open list <linux-
> > kernel@vger.kernel.org>; Peter Huewe <peterhuewe@gmx.de>; Jason
> > Gunthorpe <jgg@ziepe.ca>; James Bottomley
> > <James.Bottomley@HansenPartnership.com>; Mimi Zohar
> > <zohar@linux.ibm.com>; David Howells <dhowells@redhat.com>; Paul Moore
> > <paul@paul-moore.com>; James Morris <jmorris@namei.org>; Serge E. Hallyn
> > <serge@hallyn.com>; open list:SECURITY SUBSYSTEM <linux-security-
> > module@vger.kernel.org>
> > Subject: [EXTERNAL] [PATCH v2 5/6] tpm: tpm2_key: Extend parser to
> > TPM_LoadableKey
> > 
> > ----------------------------------------------------------------------
> > Extend parser to TPM_LoadableKey. Add field for oid to struct tpm2_key
> > so that callers can differentiate different key types.
> > 
> > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
> > ---
> >  drivers/char/tpm/tpm2_key.c               | 14 +++++++++++---
> >  include/crypto/tpm2_key.h                 |  2 ++
> >  security/keys/trusted-keys/trusted_tpm2.c |  4 ++++
> >  3 files changed, 17 insertions(+), 3 deletions(-)
> > 
> > diff --git a/drivers/char/tpm/tpm2_key.c b/drivers/char/tpm/tpm2_key.c
> > index 0112362e432e..59797dc232f1 100644
> > --- a/drivers/char/tpm/tpm2_key.c
> > +++ b/drivers/char/tpm/tpm2_key.c
> > @@ -32,16 +32,24 @@ int tpm2_key_type(void *context, size_t hdrlen,
> >  		  const void *value, size_t vlen)
> >  {
> >  	enum OID oid = look_up_OID(value, vlen);
> > -
> > -	if (oid != OID_TPMSealedData) {
> > +	struct tpm2_key *key = context;
> > +
> > +	switch (oid) {
> > +	case OID_TPMSealedData:
> > +		pr_info("TPMSealedData\n");
> > +		break;
> > +	case OID_TPMLoadableKey:
> > +		pr_info("TPMLodableKey\n");

These should be pr_debug() (forgot to change).

> > +		break;
> > +	default:
> >  		char buffer[50];
> > -
> >  		sprint_oid(value, vlen, buffer, sizeof(buffer));
> >  		pr_debug("OID is \"%s\" which is not TPMSealedData\n",
> >  			 buffer);
>
> Maybe extend this print to say "neither TPMSealedData nor TPMLodableKey"

Right, I tried to apply minimal delta to patches where existing code
needs to be carved to a new form :-)

I think it could be just "OID \"%s\" is unknown"?

BR, Jarkko
diff mbox series

Patch

diff --git a/drivers/char/tpm/tpm2_key.c b/drivers/char/tpm/tpm2_key.c
index 0112362e432e..59797dc232f1 100644
--- a/drivers/char/tpm/tpm2_key.c
+++ b/drivers/char/tpm/tpm2_key.c
@@ -32,16 +32,24 @@  int tpm2_key_type(void *context, size_t hdrlen,
 		  const void *value, size_t vlen)
 {
 	enum OID oid = look_up_OID(value, vlen);
-
-	if (oid != OID_TPMSealedData) {
+	struct tpm2_key *key = context;
+
+	switch (oid) {
+	case OID_TPMSealedData:
+		pr_info("TPMSealedData\n");
+		break;
+	case OID_TPMLoadableKey:
+		pr_info("TPMLodableKey\n");
+		break;
+	default:
 		char buffer[50];
-
 		sprint_oid(value, vlen, buffer, sizeof(buffer));
 		pr_debug("OID is \"%s\" which is not TPMSealedData\n",
 			 buffer);
 		return -EINVAL;
 	}
 
+	key->oid = oid;
 	return 0;
 }
 
diff --git a/include/crypto/tpm2_key.h b/include/crypto/tpm2_key.h
index acf41b2e0c92..2d2434233000 100644
--- a/include/crypto/tpm2_key.h
+++ b/include/crypto/tpm2_key.h
@@ -2,12 +2,14 @@ 
 #ifndef __LINUX_TPM2_KEY_H__
 #define __LINUX_TPM2_KEY_H__
 
+#include <linux/oid_registry.h>
 #include <linux/slab.h>
 
 /*
  * TPM2 ASN.1 key
  */
 struct tpm2_key {
+	enum OID oid;
 	u32 parent;
 	const u8 *blob;
 	u32 blob_len;
diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c
index f255388d32b8..ce4c667c3ee3 100644
--- a/security/keys/trusted-keys/trusted_tpm2.c
+++ b/security/keys/trusted-keys/trusted_tpm2.c
@@ -305,6 +305,10 @@  static int tpm2_load_cmd(struct tpm_chip *chip,
 		payload->old_format = 1;
 	} else {
 		blob = key.blob;
+		if (key.oid != OID_TPMSealedData) {
+			tpm2_key_destroy(&key);
+			return -EINVAL;
+		}
 	}
 
 	if (!blob)